CVE-2017-17562: GoAhead httpd 2.5 – 3.5 Remote Code Execution Vulnerability

Today, a remote code execution vulnerability (CVE-2017-17562) exists in all versions of GoAhead Web Server that broke before 3.6.5. The vulnerability stems from initializing a fork CGI script environment with untrusted HTTP request parameters and affects all users with dynamic link executable (CGI script) support enabled. When used in conjunction with the glibc dynamic linker, remote code execution can be implemented using special variables such as LD_PRELOAD. December 18, 2017, For PoC disclosure for this exploit, please remediate affected users with timely updates.

Affected version
GoAhead Web Server Version <3.6.5

Unaffected version
GoAhead Web Server Version> = 3.6.5

Poc

This vulnerability affects users with a dynamically linked executable on the Linux server and checks to see if the current version of GoAhead Web Server is affected. There is a risk if the current version is below 3.6.5.

Version detection can use the following command:

Security researchers have now provided a POC for the goahead remote code execution vulnerability as follows:

https://github.com/elttam/advisories/tree/master/CVE-2017-17562

With this test script, you can verify your own assets and provide timely protection against this vulnerability. For the protection scheme, refer to the Chapter 4 Protection Scheme section.

Test results as shown below:

Reference: mitre